> At 11:58 AM -0400 6/25/02, Keith Moore wrote: > > > We seem to agree that the DNS could be sued to distribute certs, so > >> the question is what should the certs attest to and who should issue > >> them. I argue that we need certs that support validation of DNS > >> bindings, and that the only authoritative sources for that info are > >> the folks who manage the DNS. > > > >and there is no assurance that they're trustworthy. > > since trustworthiness is a relative term, that can always be said > about any CA. that's why I don't like dealing with CAs based on > trust. authoritativeness is a quality that is less contentious in > many contexts, including this one. the question is why IETF should endorse the idea of TLDs (or other zones) being CAs when that is not needed to authenticate the RRs for which the zones are responsible. > and a DNS-based PKI would not require anyone to trust it. no, but IETF would be blessing the idea of TLDs becoming CAs when this is not necessary for them to serve their function, and then saying on the other hand "of course it's your choice about whether to trust them". it reminds me of the "voluntary" income-tax collection system we have in the US. > you fear that people would decide to rely on this new aspect of the > infrastructure and you think that, because of the specific > organizations operating some TLDs, that this would be a bad choice. no, it's not *because* of the specific organizations. however specific organizations have demonstrated that TLDs are not necessarily trustworthy. or to put it another way, the trustworthiness of the DNS system as a whole is maximized if the shared zones (those that are not delegated to a single private individual or organization) are not given more responsibility or authority than absolutely necessary. Keith